In this first of a series of articles on driving down the financial risk associated with the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, we begin by focusing on the immediate problem at hand – a potential suspension of the EU-U.S. Privacy Shield agreement as early as September 1.
On July 5, the European Parliament passed a resolution directing the European Commission to suspend the Privacy Shield on September 1 unless a number of recommended corrective actions are taken with respect to the framework, including, without limitation:
- Making the Privacy Shield fully compliant with the GDPR and EU law as interpreted by the Court of Justice of the European Union; and
- Making the Privacy Shield fully compliant with the recommendations made by the Article 29 Working Party (WP29, now the EDPB) on November 28, 2017. See below for details.
Click here for the complete text of the July 5 Resolution. Clauses 31-36 at the end contain the official wording, in summary, of the actions the Commission is called upon to take.
Since no one can predict the outcome of the U.S. government’s responses nor of the Commission’s actions, it would be prudent for a Privacy Shield-certified company to begin to generate alternatives ahead of time.
In this article we look at three alternatives to the EU-US Privacy Shield that U.S. companies should consider as mechanisms for legally transferring EU personal data to the United States — in accordance with GDPR.
This analysis is not just for Privacy Shield self-certified companies. The recommendations could apply to many other companies working in the current GDPR climate.
A. What Has Happened?
On June 11, the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) at the European Parliament passed a motion recommending that the European Commission suspend the application of the Privacy Shield unless the US meets its obligations under the (Privacy Shield) framework in full by the end of summer. The European Parliament voted on the text of the motion on July 5th. Chair of the LIBE Committee, UK MEP Claude Moraes, said, as quoted in IAPP Dashboard of July 6th, 2018: “This resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the U.S. authorities fail to comply with its terms, then it must be suspended until they do.”
Further analysis and comments from the Department of Commerce and others can be found here on the IAPP website in the July 6 article by Jennifer Baker.
The Charter of Fundamental Rights and Freedoms of the EU enshrines certain political, social, and economic rights for EU citizens. One of those fundamental rights is the right to privacy and to the protection of personal data. The LIBE Committee is a standing committee of the European Parliament that is responsible for protecting civil liberties and human rights, including data protection, as listed in the Charter.
How will the US respond?
Even if the FTC makes many of the required administrative and compliance changes to meet the EU requirements, some doubt whether the U.S. surveillance programs already conform, and whether the current U.S. Administration will agree to make those surveillance programs comply with EU requirements.
B. Why Now?
The LIBE Committee has been working on this recommendation since January 2017. Key parts of its recommendations align with the November 28, 2017 report (WP 253) of the Article 29 Working Party (WP 29, now the European Data Protection Board (EDPB)). The EDPB, which is composed of the heads of all the Member States’ national data protection supervisory authorities, stated that it would initiate court action if the U.S. doesn’t correct those deficiencies – and had absolutely no intention of requiring compliance “in full”. Click here for a brief summary of that November 28, 2017 report.
C. What Will We Lose?
American companies that self-certified under the Privacy Shield will lose the right to receive and process personal data of EU persons in the United States.
Transfers of personal data by businesses out of the EU are illegal, except to countries whose privacy protection regimes are deemed to be “adequate” in relation to EU data protection laws, which now includes the GDPR.
According to Article 46 (1) of the GDPR:
“In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
Therefore, in the absence of an adequacy decision covering transfers of EU persons’ data to another country, companies wishing to process that personal data must undertake the expensive and complicated effort of adopting Binding Corporate Rules (BCRs) or include Standard Contractual Clauses (Model Clauses) in all relevant contracts.
The EU-U.S. Privacy Shield is the program that the U.S. has negotiated with the EU to give assurances to the EU that companies have put in place adequate safeguards for the protection of EU data, that the U.S. FTC will oversee and monitor self-certified companies’ compliance with the program, and that the U.S. government is not, and will not, be engaged in mass surveillance of EU persons:
“The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce,” according to the United States Federal Trade Commission, Privacy Shield Welcome Page found here.
In the U.S., companies that register with the Department of Commerce and agree to follow the seven Principles of data protection and communication with data subjects, as embodied in the EU-U.S. Privacy Shield, are allowed to process EU persons’ data in the U.S. See the U.S. Privacy Shield website here.
Prior to the GDPR coming into effect on May 25, 2018, these companies had been sheltered from EU Regulatory authorities in a number of ways – starting with the predecessor to the Privacy Shield – Safe Harbor, which was adopted in 2000, i.e. over 15 years ago.
- One way companies were sheltered from EU regulatory oversight is that they did not have to abide by EU law – only by the seven Principles.
- Deficiencies in data protection of data processed in the U.S. were the responsibility of the FTC – not the EU. Fines levied in the U.S. typically were in the five-figure dollar range. An example of that is the $18,000 per day the FTC can fine a company for deceptive advertising – such as falsely claiming an EU-U.S. Privacy Shield certification.
- Another way that these companies were sheltered is that EU data subjects’ complaints had to be handled by a U.S.-style arbitration process following U.S. law. There was little incentive to take a case to an EU court because the 1995 EU Privacy Directive penalties, which often were in the tens of thousands of dollars, were very low – too low to be worth the high cost of litigation.
- Transfers to third parties were to be governed by a contract – a contract that commits the third party to exactly the same level of data protection as the EU-U.S. Privacy Shield-certified company must provide.
In summary, prior to GDPR, the Privacy Shield allowed U.S. companies to process personal data with the risk that a bad finding in the EU would lose them the ability to process personal data in the U.S. The change as of May 25 is that while the EU-U.S. Privacy Shield is in effect, fines issued by national supervisory authorities in the EU can now be levied directly against U.S. entities, and litigated in European courts. The FTC enforcement of Privacy Shield remains in effect until (and if) the program is struck down.
It was never a given that the shelter from the GDPR provided by the EU-U.S. Privacy Shield would remain forever; it was expected that, given time, the GDPR would replace the EU-U.S. Privacy Shield’s 7 Principles. That transition time could have been used to bring all of a company’s systems into the inevitable GDPR compliance.
The LIBE Committee’s recommendation and the July 5 vote ended that hope. We now have a short time while the EU and the U.S. negotiate and attempt to put in a place a new transfer mechanism.
Commissioner Jourova, in her comments during the debate and after the vote, stated that October 18 would be the target date for the decision. Click here for the July 6 National Law Review article highlighting Commissioner Jourova’s comments.
D. Three Paths a Privacy Shield Certified Company Should Consider Going Forward – Starting Now
To keep operating under the Privacy Shield, if it is not cancelled, will require full adherence to the GDPR. Three alternative routes may be considered in preparation for the case where it is cancelled:
- The Conventional Route – Transferring data using another mechanism deemed valid under Article 46(5) of the GDPR
- The Bold Route – Transferring data to the U.S. through Canada
- The Innovative Route – Transferring data to the U.S. via a Front End Processor based in the EU
- The Conventional Route – Transferring data within the GDPR framework
Articles 45 through 50 of the GDPR describe a selection of processes and alternatives. Two of these are central to this discussion.
- Standard Contractual Clauses (SCCs, or Model Clauses) were created and approved by the EU Commission, the administrative arm of the EU Parliament.
These are clauses that need to be added verbatim to any contract that includes a transfer of personal data to a location outside of the EU. While these clauses haven’t been updated to reflect the GDPR changes, they can continue to be used in their current version. Click here for an explanation from the EU website. These are a good choice — for small companies in particular. They are good for transfers to almost any country and require no prior approval by an EU body. They may, however, be operationally challenging for large or complex data ecosystems, as they must be present in every data processing agreement or contract.
Their validity can be ascertained from the GDPR Article 46(5):
“Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority.”
When these Model Clauses are updated to fit the GDPR, they will require updates to companies’ systems and processes involved in the processing of EU personal data to ensure that these continue to meet the GDPR requirements. All entities operating under SCCs will be subject to the regulatory oversight, fines and penalties of the GDPR.
That presents a heightened financial risk.
- Binding Corporate Rules (BCRs) are instruments generally used by large companies. They cover the intra-group processing of EU persons’ data. Only about 100 companies have signed up to use BCRs over the last 15 years. BCRs require the approval of a national supervisory authority from within the EU. Click here for an explanation from the EU Commission’s website.
They require all recipients to be fully GDPR compliant and bear the same financial risk as Standard Contractual Clauses (Model Clauses), listed above.
BCRs have been updated already to fit the GDPR. Click here for details.
The conventional route above can be expensive. Can we find a better way?
- The Bold Route – Transferring data to the US through Canada
Canada is one country for which the EU Commission has issued a decision of adequacy. Transfers of EU personal data to Canada (or to any of the other 11 countries for which the Commission has made an Adequacy Decision) are therefore much simpler, and less expensive and burdensome, than via the adoption of BCRs or the signature of SCCs.
Best practice in Canada would be to do a Data Protection Impact Assessment (DPIA) to identify and make recommendations for privacy risk mitigation in Canada. This will document data flows and require records of the data transfers. But DPIAs are generally only a best practice and not a legislative requirement. Based on the adequacy finding, the EU Commission considers that Canadian law provides adequate protection to EU data subjects’ personal data.
The GDPR has extraterritorial effect, meaning that a violation of the GDPR committed outside of the EU is still subject to the GDPR. That may mean heightened records management and security requirements for data processors in Canada. Companies in this position should work with their EU partners to ensure that they have appropriate mechanisms in place so that EU data subjects can exercise their rights throughout the data chain.
The financial risk that the company is subject to is simply the financial risk of processing personal data in Canada – right now. Canada’s adequacy status will be reviewed by 2020, for the second time since it was issued in 2000. The last review was in 2006. Click here for a review of formal EU communications on Adequacy between the EU and Canada at present. Aside from the required adherence to the GDPR, Canada’s government surveillance protections are likely to be critiqued against the full GDPR profile. These already have been criticized by privacy activists here and abroad. Click here for a comprehensive analysis of both the Privacy Shield and Canadian Adequacy issues, by Gabe Maldoff and Omar Tene. Click here for the latest Adequacy Referential that WP 29 provided as a guideline for future Adequacy determinations.
Nobody can know for sure what the fate of the Canadian adequacy finding will be. Until that is determined, it is a valid and more affordable means of complying with EU laws.
Onward transfers are easy
Once the EU subject’s data has “landed” in Canada, it can be immediately transferred out of Canada to any other country simply with a detailed contractual commitment by the receiving company to the originating company — to protect the data at the level required under Canadian law. Note that a breach by the receiving company would still be seen as subject to the GDPR, but that so long as the Canadian company remained in compliance with Canadian law and that the processing contracts contained the appropriate stipulations for operational data protection, it would likely not be exposed to GDPR consequences.
No Full GDPR Implementation Required?
Probably not for the immediately foreseeable future. The Canadian adequacy determination should be revisited by 2020. Canadian government entities are already deep into the planning cycle about what Canada must do to maintain Canada’s status, including changes to PIPEDA, the Canadian federal privacy law that provided the basis for the original Adequacy decision.
A company choosing the Canada route will likely have until 2020 to prepare for a Canadian-regulated GDPR equivalent. This delay can be leveraged to combine GDPR upgrades with upgrades to sometimes decades-old legacy IT systems — to achieve better integration of both.
Further, the Canadian fines and penalties for breaking the law will be at Canadian levels and principles – not the “proportional, effective and dissuasive” principle embedded in EU law — where the size of the company plays a large role in the size of the fine. That being said, egregious violations of Canadian privacy law may trigger a review of the processor by the appropriate EU data processing authority and a claim of GDPR applicability.
Therefore, the bold alternative generates much lower financial risk, both for now and the future – pending the results of the next adequacy review by the EU.
- The Innovative Route – Transferring data via a Front End Processor based in the EU
In this section we will take a look at how combining Consumer to Business (C2B) data flows into Business to Business (B2B) data transfers can reduce financial risk even more.
As we noted at the beginning of this article, direct C2B data flows from the EU to a target country require GDPR compliance by the receiving entity.
Consider the following: What if the C2B data flows were directed to a Front End Processor (FEP), a controller located in the EU? The FEP module could perform a variety of useful tasks such as authentication and consent management – indeed, virtually all of the Rights and Freedoms management for an EU data subject.
The consolidated data stream can then be forwarded to an adequacy status country as its ultimate destination — legally.
In this case, only the FEP module needs to be GDPR compliant right now – not the many legacy systems located in the target country which have been collecting the C2B traffic themselves directly, and which all needed to be compatible with the GDPR until now. The legacy systems would only need to meet the requirements for the interface with the FEP. This could be specified through API calls or very specific and limited data flows.
Furthermore, the FEP module is a great place to harden as a cybersecurity gateway – one that can root out malware before the data is transferred to the more vulnerable older back-end systems in the target country. More on cybersecurity in Part 2 at a later date.
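To make the FEP idea concrete, here is an added illustration (not code from the authors or from any product) of the two controls the section describes: the FEP checks the data subject's consent for the stated purpose before anything leaves the EU, and forwards only the fields the back-end interface contract allows. The names `Consent`, `BACKEND_SCHEMA`, `fep_forward` and the sample ledger are assumptions constructed for this example.

```python
"""Toy Front End Processor (FEP) forwarding filter (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass
class Consent:
    purposes: Set[str]                      # purposes the subject agreed to
    withdrawn_at: Optional[datetime] = None  # set once consent is withdrawn

    def covers(self, purpose: str) -> bool:
        return self.withdrawn_at is None and purpose in self.purposes


# Interface contract with the legacy back end: the only fields it may receive
# for each purpose. Everything else is dropped at the FEP (data minimisation),
# so the back end never has to handle fields it was not contracted for.
BACKEND_SCHEMA = {
    "order_fulfilment": {"subject_id", "order_id", "country"},
    "newsletter": {"subject_id", "email"},
}


@dataclass
class ForwardResult:
    forwarded: Optional[dict]   # payload actually sent on, or None if refused
    reason: str
    audit: dict = field(default_factory=dict)  # record of the transfer decision


def fep_forward(subject_id: str, purpose: str, payload: dict,
                consent_ledger: Dict[str, Consent]) -> ForwardResult:
    """Decide whether, and with which fields, one C2B request is forwarded."""
    audit = {"subject_id": subject_id, "purpose": purpose,
             "at": datetime.now(timezone.utc).isoformat()}
    if purpose not in BACKEND_SCHEMA:
        return ForwardResult(None, "unknown purpose", audit)
    consent = consent_ledger.get(subject_id)
    if consent is None or not consent.covers(purpose):
        # Missing or withdrawn consent: the data stays in the EU.
        return ForwardResult(None, "no valid consent", audit)
    allowed = BACKEND_SCHEMA[purpose]
    minimised = {k: v for k, v in payload.items() if k in allowed}
    audit["dropped_fields"] = sorted(set(payload) - allowed)
    return ForwardResult(minimised, "forwarded", audit)


# Constructed sample ledger: s-002 withdrew consent, so nothing is forwarded.
LEDGER = {
    "s-001": Consent({"order_fulfilment"}),
    "s-002": Consent({"order_fulfilment", "newsletter"},
                     withdrawn_at=datetime(2018, 7, 1, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    r = fep_forward("s-001", "order_fulfilment",
                    {"subject_id": "s-001", "order_id": "o-9", "country": "FR",
                     "email": "a@example.org", "ip": "203.0.113.5"}, LEDGER)
    print(r.reason, r.forwarded, r.audit["dropped_fields"])
```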
We looked at the possible risk to the continued existence of the EU-U.S. Privacy Shield. We then reviewed three routes for replacing the Privacy Shield:
- The Conventional Route – Transferring data within the GDPR framework
- The Bold Route – Transferring data to the U.S. through Canada
- The Innovative Route – Transferring data via a Front End Processor based in the EU
We showed that by expanding the ecosystem to include broader ways of looking at processing and transferring personal data, potential solutions can be implemented rather quickly. They can reduce financial risk as well.
For questions or further conversations on any of the subjects described above, please contact any of the authors at the contact details listed below.
Acknowledgements are made to the IAPP for providing ease of access to certain EU links and to other informative links on their website.
Stephan Grynwajc, Founder and Managing Partner of the Law Office of S. Grynwajc, PLLC, is a European (France and UK), U.S. and Canadian privacy lawyer based in New York City. His practice focuses on helping clients comply with EU, Canadian and U.S. laws, and particularly on assisting U.S-based clients in navigating the EU privacy landscape, from complying with the new EU General Data Protection Regulation to ensuring their privacy practices also meet the requirements of any national derogations adopted by EU member states in furtherance of the GDPR. Stephan also advises clients on developing global privacy documentation, policies and procedures, and on drafting internationally compliant privacy policies and statements.
Prior to opening his practice, Stephan worked in-house for 15 years, occupying a number of senior in-house counsel positions with U.S. technology companies in the EU and the U.S., including Intel and Symantec.
He is an active member of the American Bar Association’s Section of International Law, in which he recently served as a co-chair to the Privacy, Cybersecurity and Virtual Rights Committee. Stephan can be reached at email@example.com
Sholem Prasow, Director, Bayview Insight Management Inc., specialized in Engineering Science at the University of Toronto and Operations Research at the University of Pennsylvania. His career spanned strategic assignments in business process modeling and strategic planning across a number of industries. His current focus is on the impact of Privacy on Cybersecurity — and vice versa.
Recent efforts included a response to a draft guidance identifying cybersecurity weaknesses in certain Rights and Freedoms requirements in the WP 29 Data Portability guidance to GDPR – a response that was reflected in the final guidance. At SINET 67 in New York he moderated a panel on the subject of: “What CEOs should know about privacy. (Here’s one big thing: GDPR will affect you.)” Sholem can be reached at: firstname.lastname@example.org.
Ariel Silverstone, External Data Protection Officer and Managing Director at Data Protectors (U.S. and EU), has been addressing business information privacy, security and risk challenges for over 20 years. As a designer of information privacy and security processes and policies to address the most demanding challenges in the field, he is a pioneer in information security strategy and engineering, business risk, and management solutions.
Previously, he was the Vice President for Security Strategy, Privacy and Trust at GoDaddy; contributed to the Cloud Computing security strategy at Microsoft; and acted as the chief trusted security advisor to Cisco’s largest customers.
He has led information security efforts for a number of companies including Expedia and Symantec. He is a speaker at industry events and has appeared in The Wall Street Journal, BusinessWeek, CSO Magazine, ComputerWorld and other leading publications. He has authored and contributed to more than 20 books, dozens of magazines, electronic publications, and high-profile research papers. Ariel can be reached at: Ariel@gdprpros.com
John Wunderlich, BA, MBA, is an independent privacy and security consultant and researcher based in Toronto, Canada and the Chief Privacy Officer for JLINC Labs in Oakland, California. He is vice-chair of the IEEE P7002 Data Privacy Process Workgroup, a member of the Kantara Initiative Leadership Council, and a contributor to the Canadian Standards Committee for IT security and privacy standards. He is a Certified Information Systems Auditor, a Fellow of Information Privacy, and a trained Six Sigma Black Belt. John can be reached at: email@example.com